Category: Security

WordPress Plugin Security Alert

Earlier this week, a friend (who, for the purposes of this post, is named Stephen) relayed a story to me of an email that one of his friends had received recently.

This friend – let’s call him John – runs a local business that requires advance bookings from customers. He runs his entire booking calendar through his website, and as well as customers being able to register an account and book through the website, he can also create bookings on behalf of customers from the administration panel.

It’s this latter scenario that gave rise to the situation I’m about to delve into. John had booked this customer into his calendar through the admin panel of his WordPress-powered website, and the customer received a confirmation email containing a “Manage Account” link.

The customer clicked this link to view his booking details, and was surprised to find that he could see a lot more bookings than just his own! He, very responsibly, emailed John to let him know, who then in turn got in touch with Stephen (who had built the website) and Stephen then relayed this whole story to me.

Immediately my ears pricked up – that’s not a great situation for a customer to find, as it suggests deep-seated problems with the website’s security, so I volunteered to take a look. The following is what I found…

Security isn’t a dirty word, Blackadder

I’m often surprised at just how some websites treat their users when it comes to security.

As any decent website developer knows, one of the basic tenets of application security is that you should never store a user’s password in plaintext, and you shouldn’t really be storing it in a reversibly encrypted form either, because whoever gets hold of the key gets every password at once. The correct way to store a password is with a dedicated password hashing algorithm (note: “password hashing”, such as bcrypt, scrypt, Argon2 or PBKDF2, not just “hashing” with a fast general-purpose function like MD5 or SHA-1). These are salted and deliberately slow, so a leaked database can’t be brute-forced at speed.

I’m not going to pretend that I’m perfect at this. It took me an embarrassingly long time to stop using MD5 for hashing passwords in my code (although, in my defence, it was at least salted and not just a straight hash) but I caught up with the zeitgeist and all’s well again. Of course, it seems these days I do most of my work with existing frameworks and applications, so don’t really have to worry too much about that kind of thing any more.
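To make the difference concrete, here is an added example (written for this page; it is not code from the post’s author, from Kids Pass, or from WordPress) that puts the “salted MD5” scheme mentioned above next to a proper password hash, PBKDF2-HMAC-SHA256 from the Python standard library, and shows how a site can migrate legacy records the next time each user logs in. The record format, scheme names, salt, wordlist and sample password are this example’s own constructed assumptions, and the iteration count is kept low so it runs in a fraction of a second.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Scheme tags for this example's self-describing record format
# "scheme$...": an assumption of this example, loosely modelled on the
# PHC string format, not any real product's storage layout.
PBKDF2_SCHEME = "pbkdf2_sha256"
LEGACY_SCHEME = "md5"

# Work factor. Deliberately modest so the example runs quickly; a real
# deployment should tune this upwards (or use bcrypt/scrypt/Argon2).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt per password.

    The record carries its own iteration count, so the work factor can be
    raised later without invalidating records hashed at the old setting.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{PBKDF2_SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Constant-time check of a password against a pbkdf2_sha256 record."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != PBKDF2_SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def legacy_salted_md5(password: str, salt: str) -> str:
    """The 'salted MD5' approach: one fast hash over salt + password.

    The salt defeats precomputed tables, but MD5 is so cheap that a leaked
    record still falls to a wordlist in moments.
    """
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def verify_legacy(password: str, record: str) -> bool:
    scheme, salt, digest_hex = record.split("$")
    if scheme != LEGACY_SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    return hmac.compare_digest(legacy_salted_md5(password, salt), digest_hex)


def login(password: str, stored_record: str) -> tuple[bool, str]:
    """Check a login against whatever scheme the stored record uses.

    Returns (ok, record_to_store). When a legacy record verifies, the
    password is re-hashed with PBKDF2 so the caller can overwrite the weak
    record: this is how an existing user base is migrated without ever
    knowing the passwords up front.
    """
    scheme = stored_record.split("$", 1)[0]
    if scheme == PBKDF2_SCHEME:
        return verify_password(password, stored_record), stored_record
    if scheme == LEGACY_SCHEME:
        if verify_legacy(password, stored_record):
            return True, hash_password(password)
        return False, stored_record
    raise ValueError(f"unsupported scheme: {scheme}")


def dictionary_attack(record: str, wordlist: list[str]) -> tuple[str | None, int]:
    """Offline guessing against a leaked record.

    Returns (recovered_password, hash_ops), where hash_ops counts underlying
    hash invocations: one per guess for MD5, `iterations` per guess for
    PBKDF2. That ratio is the entire point of a slow password hash.
    """
    scheme = record.split("$", 1)[0]
    ops = 0
    for guess in wordlist:
        if scheme == LEGACY_SCHEME:
            ops += 1
            if verify_legacy(guess, record):
                return guess, ops
        else:
            ops += int(record.split("$")[1])
            if verify_password(guess, record):
                return guess, ops
    return None, ops


# Constructed sample: a legacy record as an old code base might have stored it.
LEGACY_RECORD = f"{LEGACY_SCHEME}$s4lt${legacy_salted_md5('correcthorse', 's4lt')}"
```

Calling `login("correcthorse", LEGACY_RECORD)` verifies the old record and hands back a `pbkdf2_sha256$...` record to write to the database, after which the same password verifies against the new record directly. Running `dictionary_attack` over the same short wordlist against both records shows the legacy hash recovered after three hash operations and the PBKDF2 record only after three hundred thousand; scale that by a real wordlist and a GPU and the gap is the difference between a breach leaking usable passwords and leaking expensive noise.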

The fact that there are so many frameworks and other tools out there to help devs with this kind of thing just makes it all the more upsetting when I see someone doing it so drastically wrong. Someone like whoever it was that developed KidsPass.co.uk.

For those unfamiliar, Kids Pass is a website aimed at parents that offers many discounts and other offers on things to do with their little’uns. It’s not a website aimed at children, which is just as well because with password security as poor as theirs that would be absolutely terrifying.

Don’t panic, 123-reg aren’t phishing!

At work, we use 123-reg to handle our domain registrations. They’re not the cheapest domain registrar, but they’re not far off, and they don’t charge extra for things like changing IPS TAG or allowing access to DNS management.

Their automated renewal systems are generally pretty bullet-proof too, and apart from a couple of issues with their website over the years we’ve used them, we’ve had no complaints.

But what I can’t work out – for the life of me – is why they’ve changed their auto-invoice e-mails to ensure that everyone clued up on spam and phishing e-mails automatically assumes that it’s a fake e-mail.

Like and Share this post to win £1,000,000!

Over the last few weeks, I’ve noticed a trend of new “scams” on Facebook. I’ve put that in quotes, because I can’t really see how the “scammer” benefits other than getting more likes and shares on their Facebook pages, but maybe there is some nasty data-sharing going on that I’m not aware of.
